DP News – Week 51. The European Commission published the draft of the U.S. adequacy decision.
On 13 December 2022, the EU Commission published the draft of the U.S. adequacy decision that was highly anticipated by privacy practitioners and businesses on both sides of the Atlantic since the invalidation of the EU-US Privacy Shield in July 2020. This is draft is a follow-up to the U.S. President Joe Biden’s Executive Order 14086 “On Enhancing Safeguards For United States Signals Intelligence Activities” dating back to October 2022.
As mentioned Didier Reynders, the European Commissioner for Justice, “Our analysis has showed that strong safeguards are now in place in the U.S. to allow the safe transfers of personal data between the two sides of the Atlantic. The future Framework will help protect the citizens’ privacy, while providing legal certainty for businesses.”
The draft of the U.S. adequacy decision will have to undergo a series of consultations and examinations, followed by a non-binding opinion of the European Data Protection Board, the Council of the EU and European Parliament. The whole process is expected to be finished by July 2023.
In previous DP News releases – see DP News Week 44 and Week 41 – DPOrganizer highlighted the concerns voiced by several prominent actors like Max Schrems and the data protection authority (DPA) of the German state of Baden-Wuerttemberg. Now, in particular, from the published draft it still remains unclear how equivalence between the notion of proportionality in the U.S, on one hand, and in the EU, on another hand, is struck. So, it would be fair to say that the prospects of the new EU-US framework remain vague in the years to come. In any event, the draft of the decision specifies that “the Commission should on an on-going basis monitor the situation in the United States as regards the legal framework and actual practice for the processing of personal data” and the decision “should be subject to a first review within one year after its entry into force, to verify whether all relevant elements have been fully implemented and are functioning effectively in practice”.
Interestingly, on 14 December, on the website of the Office of the Director of National Intelligence (ODNI), “Directive 126: Implementation Procedures for the Signals Intelligence Redress Mechanism Under Executive Order 14086” was published. As the official press release says, the Directive governs the handling of redress complaints regarding certain signals intelligence activities, specifies the process by which complaints may be transmitted by an appropriate public authority, authorizes and sets forth the process through which the ODNI Civil Liberties Protection Officer shall investigate, review, and order appropriate remediation for a covered violation regarding complaints, as well as communicate the conclusion of such investigation to the complainant, and provide necessary support to the U.S. Data Protection Review Court.